When I see strange behavior with ZBFW, I remove the zone configuration from 
all the interfaces and re-apply it, and it works. I have had the same experience 
with crypto maps on interfaces. Also make sure you don't mess around with the zone 
self. Also make sure that you copy and paste ACL names rather than typing them. I 
have made lots of mistakes when I re-type.

Thanks 
Pouya.

Sent from my iPad

On Oct 10, 2011, at 3:50 PM, Garrett Skjelstad <[email protected]> wrote:

> That's how I got the error message reported in regarding all packets 
> dropped...
> 
> Sent from my iPhone
> 
> On Oct 10, 2011, at 14:41, Fawad Khan <[email protected]> wrote:
> 
>> Garrett,
>>  
>> Did you try rebooting the box? ZFW has shown very weird behaviour at 
>> times and a reboot just fixes everything... (probably an ex-MS programmer 
>> wrote the code for ZFW in IOS).
>>  
>>  
>> 
>> FNK
>> 
>> 
>> 
>> On Mon, Oct 10, 2011 at 5:34 PM, Garrett Skjelstad <[email protected]> 
>> wrote:
>> that's why I sent a second message following up... I had copied and pasted 
>> the wrong snippet of code...
>> 
>> The code is correct, hence the reason I get the error:
>> 
>> 
>> %No specific protocol or access-group configured in class TEST-Inbound-CM 
>> for inspection. All packets will be dropped
>> 
>> I have a reverse ZBF rule for traffic heading the other direction...
>> 
>> Pretty much, I have a network on both sides of the ZBF FW that I want to 
>> pass unrestricted, and I'm not exactly sure how to go about doing that... 
>> 
>> -Garrett
>> 
>> 
>> On Mon, Oct 10, 2011 at 1:24 PM, Fawad Khan <[email protected]> wrote:
>> your configured class-map name is TEST-Outbound-CM
>>  
>>  
>> however the one applied under the policy map is TEST-Inbound-CM..
>>  
>>  
>> From a config standpoint, the wrong CM is applied to the policy map. This is 
>> a common issue with IOS... even if something doesn't exist in the 
>> configuration, IOS accepts it as part of the command... However, ASA is more 
>> hierarchical and does not accept anything as an argument which is not 
>> configured before.
>>  
>> FNK
>>  
>> On Mon, Oct 10, 2011 at 1:43 PM, Garrett Skjelstad <[email protected]> 
>> wrote:
>> I'm trying to get a zone based firewall that would permit all protocols, 
>> from a specific network,
>> 
>> However, when I use the inspect statement, I get an error on the reload that 
>> it's not valid.
>> 
>> <snip>
>> %No specific protocol or access-group configured in class TEST-Outbound-CM 
>> for inspection. All packets will be dropped
>> %No specific protocol or access-group configured in class TEST-Inbound-CM 
>> for inspection. All packets will be dropped
>> </snip>
>> 
>> <pertinent code>
>> policy-map type inspect Out-2-In-PM
>>  class type inspect TEST-Inbound-CM
>>   inspect 
>>  class class-default
>>   drop
>>   
>> zone-pair security outzone-to-inzone source out-zone destination in-zone
>>  service-policy type inspect Out-2-In-PM
>>  
>> class-map type inspect match-any TEST-Outbound-CM
>>  match access-group name TEST-DestNetworks-ACL
>>  
>>  ip access-list extended TEST-DestNetworks-ACL
>>  permit ip any 172.30.0.0 0.0.255.255
>>  permit ip any 172.31.0.0 0.0.255.255
>> </pertinent code>
>> 
>> Am I using the wrong type of class map? 
>> 
>> Should I change inspect to be "pass", and that would have it work?
>> 
>> Am I totally barking up the wrong tree?
>> -Garrett
>> 
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please 
>> visit www.ipexpert.com
>> 
>> Are you a CCNP or CCIE and looking for a job? Check out 
>> www.PlatinumPlacement.com
>> 
>> 
>> 
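An offline check for the name mismatch discussed in this thread, added here as an example and not written by any of the posters: it parses a saved configuration and reports class-map, access-list and policy-map names that are referenced but not defined, class-maps that are defined but never used, and class-maps with no match line. The function name `lint_zbf` and the finding labels are assumptions, the sample input is the configuration quoted in the thread, and the patterns cover only the command forms that appear there.

```python
import re

# Constructed input: the configuration quoted in the thread, left-aligned.
SAMPLE_CONFIG = """\
policy-map type inspect Out-2-In-PM
 class type inspect TEST-Inbound-CM
  inspect
 class class-default
  drop
zone-pair security outzone-to-inzone source out-zone destination in-zone
 service-policy type inspect Out-2-In-PM
class-map type inspect match-any TEST-Outbound-CM
 match access-group name TEST-DestNetworks-ACL
ip access-list extended TEST-DestNetworks-ACL
 permit ip any 172.30.0.0 0.0.255.255
 permit ip any 172.31.0.0 0.0.255.255
"""

def lint_zbf(config):
    """Return sorted (issue, name) pairs for ZBF names that do not resolve."""
    match_count = {}                     # class-map name -> number of match lines
    acls, policy_maps = set(), set()     # names that are defined
    used_cms, used_acls, used_pms = set(), set(), set()  # names that are referenced
    current_cm = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            current_cm = None            # a top-level command closes the class-map block
        if m := re.match(r"class-map type inspect (?:match-(?:any|all) )?(\S+)", line):
            current_cm = m.group(1)
            match_count.setdefault(current_cm, 0)
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            policy_maps.add(m.group(1))
        elif m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"class type inspect (\S+)", line):
            used_cms.add(m.group(1))
        elif m := re.match(r"service-policy type inspect (\S+)", line):
            used_pms.add(m.group(1))
        elif current_cm and line.startswith("match "):
            match_count[current_cm] += 1
            if m := re.match(r"match access-group name (\S+)", line):
                used_acls.add(m.group(1))
    defined_cms = set(match_count)
    findings = [("undefined class-map", n) for n in used_cms - defined_cms]
    findings += [("unused class-map", n) for n in defined_cms - used_cms]
    findings += [("class-map without match", n) for n, c in match_count.items() if c == 0]
    findings += [("undefined access-list", n) for n in used_acls - acls]
    findings += [("undefined policy-map", n) for n in used_pms - policy_maps]
    return sorted(findings)
```

On the quoted configuration, `lint_zbf(SAMPLE_CONFIG)` reports `TEST-Inbound-CM` as undefined and `TEST-Outbound-CM` as unused; an undefined name next to an unused one of the same kind usually points to a mistyped reference.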